[Curdle] Client-side SSH_MSG_EXT_INFO: Use it or lose it principle!
denis bider <denisbider.ietf@gmail.com> Sun, 26 April 2020 12:03 UTC
Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F32D23A0B49 for <curdle@ietfa.amsl.com>; Sun, 26 Apr 2020 05:03:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m9dbw8hLXm-p for <curdle@ietfa.amsl.com>; Sun, 26 Apr 2020 05:03:33 -0700 (PDT)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C153A3A0B40 for <curdle@ietf.org>; Sun, 26 Apr 2020 05:03:33 -0700 (PDT)
Received: by mail-ot1-x32b.google.com with SMTP id b13so21190579oti.3 for <curdle@ietf.org>; Sun, 26 Apr 2020 05:03:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=1Re1bV2GT3AH6RcRK/BkWHD0ciXq6oLYf5skLiVNKZA=; b=mnT3KwKcx++NFu02ciENB3OPvDwJyCas2C45AK8CJ2WQQa/4Cv3KsfRzzI/adgAVBr iehW4ZNN4379Phb7uj0hzd6QKXtkJz+vpRo81zVZspxixniYzwDJulkwRWv2gVsccEd1 A6LWY7K6V18QXUaDJEpfgUMl7N/1UlzYTEw6mIznTB8ypZqfzzkE3VYMStCKzH7pn9R5 4TII5JUunPkAA2gxokvgsA7oTeuWFB7zHhhpaD3jPCGsGVUnEEHm7LqWmxGxitHet2zj mUUl6dB2bUiWDySGBsKepsyMY9UV8V4WxrzXh1/s9bhIhihfh6MOr/8GkbN1+SwxvQNU K7cg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=1Re1bV2GT3AH6RcRK/BkWHD0ciXq6oLYf5skLiVNKZA=; b=kLPUg0nCr2wyLyrRnUw7XuOHfZcCc4WjdiRDB6z+4/kH/Ik9t0ykchD0739ow7Digz ueO1ymwC/yDxYc423d8f4vbqRNECpBJPwVJWauCuOfr1fiWA/qRMQMxQZNPEzo16Ax45 znW1pgchNzuh14dgcVkNV8LXa0QBac1r9X0dm2+tyDSwyPdK9vP3tCIHgxsFUu+C6nZs AJ4wrxKLczo+p/iH3YvM0Qfm7dwCmtcR+u5Suzqtago5ahrE0lPX3HwxSRXF6q4NergW BwoGfNJpk9j6ll2dY7ulQJezbpSSeEwCztbgfIzXCbusWtZnSChHjTQvT4Q4FkDVmHA1 RCLA==
X-Gm-Message-State: AGi0PuaPQtxjP47EqiBEmI/td58pO73v94njt8PXOYCsHPovrnnXOICh iIw9melcJz4QPyxsSmJEFVDeFCudBGsfyZ3nVBMjrhh7U/Q=
X-Google-Smtp-Source: APiQypL2IkXkQSM3AEpq5dKszyTBMZuVwDnxWlL9d1FeLTiQxS1KtBczxB4a8k17/brUxNdyktNbgNzHp9UX7+agMKM=
X-Received: by 2002:a9d:874:: with SMTP id 107mr14758620oty.220.1587902612750; Sun, 26 Apr 2020 05:03:32 -0700 (PDT)
MIME-Version: 1.0
From: denis bider <denisbider.ietf@gmail.com>
Date: Sun, 26 Apr 2020 07:03:21 -0500
Message-ID: <CADPMZDBcOtUaUBJKn20yEpLi=pmse2SgiXpZXArAKLyKTeS-GQ@mail.gmail.com>
To: curdle <curdle@ietf.org>, ietf-ssh@netbsd.org, Damien Miller <djm@mindrot.org>
Content-Type: multipart/alternative; boundary="0000000000002bc59305a43063f4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Z7r4JW420XFVpXLsPsbCYAUY7zA>
Subject: [Curdle] Client-side SSH_MSG_EXT_INFO: Use it or lose it principle!
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2020 12:03:36 -0000
Hey all: it has come to my attention that at least one SSH server implementation (a) advertises support for SSH_MSG_EXT_INFO as defined in RFC 8308, and (b) disconnects on actual receipt of an EXT_INFO message from the client. This happens when we define a general mechanism, but then the most widely used implementations only use certain aspects of it. Lots of implementations now support EXT_INFO sent by the server because it's needed for RSA-SHA2 signatures, but only a handful implementations send EXT_INFO by the client. Bitvise SSH Client sends EXT_INFO if the server supports it. It's free to use or test with - but it runs on Windows and lots of people don't want to test with that. It's possible that your implementation has no need for any of the extensions that would appear in EXT_INFO from the client. However, if you wish for this extensibility to be available in the future, then if your client supports EXT_INFO, I would strongly suggest that it sends it. If you want to send a client-side EXT_INFO that takes minimal effort, I suggest: 1. Ensure that your SSH client can correctly handle SSH_MSG_GLOBAL_REQUEST received at any point. Your client should not disconnect when it receives this message, or act like it received a channel open failure if it receives a global request when it's waiting for a channel open confirmation. These are the two most common error modes relating to global requests. 2. Once you have ensured the above, if the server supports EXT_INFO, send a client-side EXT_INFO implementing the extension "global-requests-ok" as defined in this draft: https://tools.ietf.org/html/draft-ssh-global-requests-ok-00 This tells the server that your client properly implements global requests so that the server can use them for things like active keep-alives. Implementing this would take minimal effort and would help ensure that client-side EXT_INFO remains an available extension mechanism 10 years down the road for SSH. denis
- [Curdle] Client-side SSH_MSG_EXT_INFO: Use it or … denis bider
- Re: [Curdle] Client-side SSH_MSG_EXT_INFO: Use it… Ron Frederick
- Re: [Curdle] Client-side SSH_MSG_EXT_INFO: Use it… denis bider
- Re: [Curdle] Client-side SSH_MSG_EXT_INFO: Use it… Peter Gutmann
- Re: [Curdle] Client-side SSH_MSG_EXT_INFO: Use it… denis bider
- Re: [Curdle] Client-side SSH_MSG_EXT_INFO: Use it… denis bider
- [Curdle] Fwd: Client-side SSH_MSG_EXT_INFO: Use i… denis bider
- Re: [Curdle] Client-side SSH_MSG_EXT_INFO: Use it… Ron Frederick
- Re: [Curdle] Client-side SSH_MSG_EXT_INFO: Use it… denis bider